bf29b2f520b9fdbe5614450d4fb05da7fd54b8f0edccd8d80dc3d5f1bc787eef

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe
Size

180KB
MD5

9bd223db2855b3132105851b1eab8c6c
SHA1

bc9fba551d039a6c5b5b61aee62c34ee35c7fdb4
SHA256

bf29b2f520b9fdbe5614450d4fb05da7fd54b8f0edccd8d80dc3d5f1bc787eef
SHA512

54e6b019c2e0c08ab5f130bf95dc8fe9c1d4a9298d664fa1296575331a2fa9a34e381599de6c548840da9a99215bf45e8b786dd4ac419cbc3d726c134a3436cd
SSDEEP

3072:jEGh0o0lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG6l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F3D00463-E761-445e-B634-EF0A8D196956}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe{E6744C89-B4BD-4671-ADC9-457D07926505}.exe{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe{F3D00463-E761-445e-B634-EF0A8D196956}.exe{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B844D810-EDF9-4d76-B85C-D0E752D186D5}	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD54F71D-C34E-474d-A5A3-67BAAF133995}	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD54F71D-C34E-474d-A5A3-67BAAF133995}\stubpath = "C:\\Windows\\{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe"	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D00463-E761-445e-B634-EF0A8D196956}\stubpath = "C:\\Windows\\{F3D00463-E761-445e-B634-EF0A8D196956}.exe"	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74703B27-A60C-4ac7-934A-8DAA0E264044}\stubpath = "C:\\Windows\\{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe"	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}\stubpath = "C:\\Windows\\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe"	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}\stubpath = "C:\\Windows\\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe"	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B2F5320-CCB8-4d66-9045-D193437EE801}	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F366BAA-43FF-437a-B060-89970EFB5E83}\stubpath = "C:\\Windows\\{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe"	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6744C89-B4BD-4671-ADC9-457D07926505}	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74703B27-A60C-4ac7-934A-8DAA0E264044}	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F366BAA-43FF-437a-B060-89970EFB5E83}	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6744C89-B4BD-4671-ADC9-457D07926505}\stubpath = "C:\\Windows\\{E6744C89-B4BD-4671-ADC9-457D07926505}.exe"	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}\stubpath = "C:\\Windows\\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe"	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}\stubpath = "C:\\Windows\\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe"	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B2F5320-CCB8-4d66-9045-D193437EE801}\stubpath = "C:\\Windows\\{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe"	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D00463-E761-445e-B634-EF0A8D196956}	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DCE417D-FE79-4dae-951E-A8D86157A207}	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DCE417D-FE79-4dae-951E-A8D86157A207}\stubpath = "C:\\Windows\\{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe"	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B844D810-EDF9-4d76-B85C-D0E752D186D5}\stubpath = "C:\\Windows\\{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe"	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe

Executes dropped EXE 12 IoCs

Processes:

{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe{E6744C89-B4BD-4671-ADC9-457D07926505}.exe{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe{F3D00463-E761-445e-B634-EF0A8D196956}.exe{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe

pid	process
1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
3316	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
2480	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
592	{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe

Drops file in Windows directory 12 IoCs

Processes:

{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe{E6744C89-B4BD-4671-ADC9-457D07926505}.exe{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe{F3D00463-E761-445e-B634-EF0A8D196956}.exe{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe

description	ioc	process
File created	C:\Windows\{F3D00463-E761-445e-B634-EF0A8D196956}.exe	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
File created	C:\Windows\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
File created	C:\Windows\{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
File created	C:\Windows\{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
File created	C:\Windows\{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe
File created	C:\Windows\{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
File created	C:\Windows\{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
File created	C:\Windows\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
File created	C:\Windows\{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
File created	C:\Windows\{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
File created	C:\Windows\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
File created	C:\Windows\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe{E6744C89-B4BD-4671-ADC9-457D07926505}.exe{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe{F3D00463-E761-445e-B634-EF0A8D196956}.exe{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1892	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
Token: SeIncBasePriorityPrivilege	4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
Token: SeIncBasePriorityPrivilege	5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
Token: SeIncBasePriorityPrivilege	3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
Token: SeIncBasePriorityPrivilege	4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
Token: SeIncBasePriorityPrivilege	4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
Token: SeIncBasePriorityPrivilege	4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
Token: SeIncBasePriorityPrivilege	756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
Token: SeIncBasePriorityPrivilege	4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
Token: SeIncBasePriorityPrivilege	3316	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
Token: SeIncBasePriorityPrivilege	2480	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1892 wrote to memory of 1488	1892	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
PID 1892 wrote to memory of 1488	1892	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
PID 1892 wrote to memory of 1488	1892	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
PID 1892 wrote to memory of 548	1892	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe	cmd.exe
PID 1892 wrote to memory of 548	1892	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe	cmd.exe
PID 1892 wrote to memory of 548	1892	2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe	cmd.exe
PID 1488 wrote to memory of 4608	1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
PID 1488 wrote to memory of 4608	1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
PID 1488 wrote to memory of 4608	1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
PID 1488 wrote to memory of 592	1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	cmd.exe
PID 1488 wrote to memory of 592	1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	cmd.exe
PID 1488 wrote to memory of 592	1488	{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe	cmd.exe
PID 4608 wrote to memory of 5084	4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
PID 4608 wrote to memory of 5084	4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
PID 4608 wrote to memory of 5084	4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
PID 4608 wrote to memory of 2452	4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	cmd.exe
PID 4608 wrote to memory of 2452	4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	cmd.exe
PID 4608 wrote to memory of 2452	4608	{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe	cmd.exe
PID 5084 wrote to memory of 3176	5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
PID 5084 wrote to memory of 3176	5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
PID 5084 wrote to memory of 3176	5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
PID 5084 wrote to memory of 4200	5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	cmd.exe
PID 5084 wrote to memory of 4200	5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	cmd.exe
PID 5084 wrote to memory of 4200	5084	{E6744C89-B4BD-4671-ADC9-457D07926505}.exe	cmd.exe
PID 3176 wrote to memory of 4340	3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
PID 3176 wrote to memory of 4340	3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
PID 3176 wrote to memory of 4340	3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	{F3D00463-E761-445e-B634-EF0A8D196956}.exe
PID 3176 wrote to memory of 4316	3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	cmd.exe
PID 3176 wrote to memory of 4316	3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	cmd.exe
PID 3176 wrote to memory of 4316	3176	{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe	cmd.exe
PID 4340 wrote to memory of 4548	4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
PID 4340 wrote to memory of 4548	4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
PID 4340 wrote to memory of 4548	4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
PID 4340 wrote to memory of 2380	4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe	cmd.exe
PID 4340 wrote to memory of 2380	4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe	cmd.exe
PID 4340 wrote to memory of 2380	4340	{F3D00463-E761-445e-B634-EF0A8D196956}.exe	cmd.exe
PID 4548 wrote to memory of 4844	4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
PID 4548 wrote to memory of 4844	4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
PID 4548 wrote to memory of 4844	4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
PID 4548 wrote to memory of 60	4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	cmd.exe
PID 4548 wrote to memory of 60	4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	cmd.exe
PID 4548 wrote to memory of 60	4548	{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe	cmd.exe
PID 4844 wrote to memory of 756	4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
PID 4844 wrote to memory of 756	4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
PID 4844 wrote to memory of 756	4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
PID 4844 wrote to memory of 1408	4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	cmd.exe
PID 4844 wrote to memory of 1408	4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	cmd.exe
PID 4844 wrote to memory of 1408	4844	{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe	cmd.exe
PID 756 wrote to memory of 4436	756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
PID 756 wrote to memory of 4436	756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
PID 756 wrote to memory of 4436	756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
PID 756 wrote to memory of 4976	756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	cmd.exe
PID 756 wrote to memory of 4976	756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	cmd.exe
PID 756 wrote to memory of 4976	756	{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe	cmd.exe
PID 4436 wrote to memory of 3316	4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
PID 4436 wrote to memory of 3316	4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
PID 4436 wrote to memory of 3316	4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
PID 4436 wrote to memory of 400	4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	cmd.exe
PID 4436 wrote to memory of 400	4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	cmd.exe
PID 4436 wrote to memory of 400	4436	{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe	cmd.exe
PID 3316 wrote to memory of 2480	3316	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
PID 3316 wrote to memory of 2480	3316	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
PID 3316 wrote to memory of 2480	3316	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe	{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
PID 3316 wrote to memory of 4280	3316	{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_9bd223db2855b3132105851b1eab8c6c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
C:\Windows\{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
C:\Windows\{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0F366~1.EXE > nul
4⤵
PID:2452

C:\Windows\{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
C:\Windows\{E6744C89-B4BD-4671-ADC9-457D07926505}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
C:\Windows\{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FD54F~1.EXE > nul
6⤵
PID:4316

C:\Windows\{F3D00463-E761-445e-B634-EF0A8D196956}.exe
C:\Windows\{F3D00463-E761-445e-B634-EF0A8D196956}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
C:\Windows\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
C:\Windows\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
C:\Windows\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
C:\Windows\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
C:\Windows\{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
C:\Windows\{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe
C:\Windows\{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe
13⤵
- Executes dropped EXE
PID:592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4DCE4~1.EXE > nul
13⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{74703~1.EXE > nul
12⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C29E~1.EXE > nul
11⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{311B2~1.EXE > nul
10⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8C84D~1.EXE > nul
9⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8D901~1.EXE > nul
8⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F3D00~1.EXE > nul
7⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6744~1.EXE > nul
5⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6B2F5~1.EXE > nul
3⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F366BAA-43FF-437a-B060-89970EFB5E83}.exe

Filesize
180KB

MD5
edd18e01aec626a4bcd43622fc42e9e5

SHA1
0c5ecb9eba92c787c3e6c62f40a32710d39fd3ec

SHA256
8e6b0abb7b5a8ba4663869b25b8a35df556c83c78d08f9bdefc1e5743b892b18

SHA512
1ef9beaf1e4d9a9adf2bb25615358cc432ea77fa8035bf479bb27db9e9089ed153e311ed4875c19ef021dbfc08fb2df39826bd4f1553bc0d82065ddfedf652e1

Download Submit
C:\Windows\{311B2D8B-E6F1-40e6-9C16-DED3BC704DCB}.exe

Filesize
180KB

MD5
0b0d885ad2394b311ce333e2ca0efea6

SHA1
a11e217b23b2528532dbc08f69fb0b89bb2f51cf

SHA256
015ac98924564dbd03e5c02bc9004c9edb5849860eb37851dc603b74ae10cfc3

SHA512
36c876d8189cfdb1ff3f67be4ea50d880e8bf9219273db1a0685c26e532f516317c8b01aeab0db8db3e14e8b2c82a6f4dd5e1cb2511d30930c9e31ff264c0a6d

Download Submit
C:\Windows\{3C29E052-6EF2-4f16-9CDE-287139DC09F0}.exe

Filesize
180KB

MD5
96221d700829404d5ea857438204510d

SHA1
8257203f7fb8a68330a29763a50438999569ff4d

SHA256
eb23d55cb87a50eeb90c00dcf2f5e7a386acc34b01cb773bd2ff928e20aad6ec

SHA512
374dd6f1f705a8a04e038d6d49feb2ba5b443b132b86b03cde64f38387b719951a87d65d0b4c0740a3104995bd700e8b3989cb6d601bc6fbce17e5b9d00aa4e0

Download Submit
C:\Windows\{4DCE417D-FE79-4dae-951E-A8D86157A207}.exe

Filesize
180KB

MD5
aad52656679de078e4a13236aad3762d

SHA1
dd82ccacdc37ab4e4953755b7c910761933c820b

SHA256
62a7cbf44125f36a920bb06374c126ab11b2f7542eb088315deb13b2a9b53d7b

SHA512
e609824836bd421c83687ff4fe48b9b5be12cda06cc915f09da8859adbdc97c682a8ee5b2088f810fd4be7eefadc8e4e9f790a211ee32cba443a03db92ee3697

Download Submit
C:\Windows\{6B2F5320-CCB8-4d66-9045-D193437EE801}.exe

Filesize
180KB

MD5
7790884384401983007c6553ee56c975

SHA1
fa909f54ae6480065a99f405748a984b37ea9154

SHA256
6a3bc57869889eecb13afa0b4d11563f170a4cacb920dbbbfb53631c4d8896f3

SHA512
65906f79c9d130c7808e1974ef713424ecd56d9fbb2ee5bfb94b7e9f02fd478d680353ef3497c7bf12865dff1f4c1199b194d97c6aaa797bdd29d578f8e31d27

Download Submit
C:\Windows\{74703B27-A60C-4ac7-934A-8DAA0E264044}.exe

Filesize
180KB

MD5
fa04865878625298722096376e3e3bed

SHA1
2b786018d946db124c096bc69a0a0854f9f66718

SHA256
22feeba5b2c6b4ea5478f17e53cff0784bc3a262f8cec11310f2f4576329278f

SHA512
fece8b8efc2c2ced2eb5ee55abba2166ed22951cbe6bf4d34442f17adbb4115b945806ba152e0fcd6ffab643f5fc311e3a335d3d09df37d0da1828cef7a68614

Download Submit
C:\Windows\{8C84D8E8-CC23-4225-9CCB-A2758C888FD1}.exe

Filesize
180KB

MD5
8ff1e78bf585fa11776eda83095439ae

SHA1
fea0515e61bf183ec2edf0a507aee89baf0a6419

SHA256
84a2ad7a9f368c858f7951fe396fa1a3357ed9e2ad8f7e587ad9a5d25f4f55cb

SHA512
9ce58f51297e9e866f0ed5cbe2c9bcf208ebe68e559be9f8c1355e107f8ef63f356ec129f8d2e2e0cf6dd3ecc21309ae2c2d6f4c8aed92af2abf1f04bf571278

Download Submit
C:\Windows\{8D901B43-079A-44c6-9A08-7ADF3FA7930B}.exe

Filesize
180KB

MD5
f7c86f6fce2cc2d56a3f6785e25d1218

SHA1
78ec42ad4ca2cf5f1b75f3aac99bdbf2a11d5e23

SHA256
896751be582292b2891f90d69238f9d7e34013d3b66ae8cbb895d4a35242917e

SHA512
a39a35bd22259f4f74e31aefdffb02865c3bc8cf64e09704d90af671f8cc290ff11c375e091f6f7d1e5ab97c997b68d50ad244b60df0a8d23bdfe0372c0e5e26

Download Submit
C:\Windows\{B844D810-EDF9-4d76-B85C-D0E752D186D5}.exe

Filesize
180KB

MD5
f142ad06ebf3249fc91b5494b48ac8ed

SHA1
88bb9fba77653e6ed96f97d9af17ff4dc8ba38ec

SHA256
cfd81da191d3a50b07e86d293f40764e5538e0928471fe73d3bc6e7347eebd49

SHA512
671d346d58f23657d4c200ad36979a3cb78e5b7c6dceed5b26c4a34de4ea85cbab95abbd3bacc76347664c3c7c97bb52e1d340e4be6bf68a3d34d54f3cb97924

Download Submit
C:\Windows\{E6744C89-B4BD-4671-ADC9-457D07926505}.exe

Filesize
180KB

MD5
143ab2f1848d38bc9d21c43e3d8d1a24

SHA1
68abdfb77633faf860c9c3312ec747c254073a00

SHA256
b5892ae5af27c3f3b8f254d4d8e00d91daac8a08758e1a58e9d242cc5db8e9c1

SHA512
9bb7606508e0ec95a848cc526f519d0bd144959fb559656dcf0a390e6e27647a16f68af51ceddef8e547460025ce5954e1d077bbd1d634b2937799ddc335bb94

Download Submit
C:\Windows\{F3D00463-E761-445e-B634-EF0A8D196956}.exe

Filesize
180KB

MD5
4265151adc22fcfa6e36bfbef5947d8b

SHA1
3e06e707a72ef2d73496f51e0fa927f2ada8176d

SHA256
a7a53a02eb630765312f044085fc3ba546dc908625e436bd551a9b005f829edc

SHA512
017373575245fcc7704b859bc7b406deb675f0762ea853bdc346b794fdcf4a3b83eaf34c21f90b0aaf55886ee7b320fb8cd0c03226bb029b0b3c3496359b8b88

Download Submit
C:\Windows\{FD54F71D-C34E-474d-A5A3-67BAAF133995}.exe

Filesize
180KB

MD5
83039b9105ea03b5852f5cd09488e964

SHA1
ac3102618f29c6563b12cf6886b4763cc32858b1

SHA256
7b7750dfb3155fc9b657b30cdae793558303b320c4761b8948e55a8926b2ab7e

SHA512
98a4f09e633844dd7bc3d46b06812ce336bc2a59f1a820d3ef2ab3f8d618ff727336e262a505d3060d69561e05b1dc9632f124d53387f79cea2e5f392a5ece97

Download Submit